survival / donation-system-webapp

:computer: :iphone: :desktop_computer: Web UI for Survival's donation system

Home Page: https://donation-system-production.herokuapp.com/

License: MIT License

Ruby 55.14% CSS 14.70% HTML 9.70% JavaScript 18.28% Shell 2.18%
clean-architecture donation-form sinatra

donation-system-webapp's People

Contributors

depfu[bot], fastmode, ketan-survival, octopusinvitro

Forkers

fastmode

donation-system-webapp's Issues

Add form validation tests

This should check that the form can't be submitted if required fields are not filled in.

Just to be clear, there is no need to use JavaScript for this as the browser is equipped with validation logic. This is achieved by adding a required attribute to the field.

There might be other validations that we want to do apart from presence. For example, max="999" in the security code field. Hence this ticket to tackle the problem separately.

Add business logic for the credit-card expiry year

At the moment, the select element for the credit card expiry year in the donation form is hardcoded to show 18 years in advance from the current year. This has to be calculated automatically. We want to do it in the backend.

Update to Ruby 2.5

Ruby 2.5 is out:

https://www.ruby-lang.org/en/news/2017/12/25/ruby-2-5-0-released/

Our current Ruby version is 2.4.1. Switch the Ruby version to 2.5.0.

To get started

  • Claim this issue by clicking the "Assignees" cog to the right and assigning yourself
  • Check out our contributing guides

Steps for this issue:

  • Install Ruby version 2.5.0 on your local system. How to do this depends on the Ruby version manager that you use. (this is an example for the rbenv manager)
  • Set your Ruby version to 2.5.0. This again depends on your Ruby version manager.
  • Change the Ruby version in the Gemfile of this project.
  • Install the bundler gem for that version: gem install bundler.
  • Run bundle install and check that the tests and the app work correctly.
  • You may or may not have to upgrade some gems. If you have to, do it one at a time, like this:
    • run bundle update GEMNAME
    • Run the tests (check README), they should be green
    • Run the app (check README), it should work
    • commit!
  • If everything works, update the Ruby version in the .travis.yml file
  • When you are finished, push your branch and submit a PR with your changes.

XSS protection

See our contributing guides.

Sinatra comes with some protection out of the box, but still there are some extra things we can do:

Input validation:

  • At the moment we have basic native validation. Are there any relevant restrictions we can add?

Input sanitization:

  • Some kind of tags stripping.

Output escaping:

Setting up CSP:

  • Either setting the HTTP headers in Sinatra or adding a meta tag:

    # 'none' is a CSP keyword and must keep its single quotes
    get '/foo' do
      headers['Content-Security-Policy'] = "script-src 'none'"
    end

    <meta http-equiv="Content-Security-Policy" content="script-src 'none'">

Using HttpOnly cookies:


Some useful guides:
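
The measures listed in this issue, combined in one handler, as an added example that is not code from this repository: a Rack-compatible callable (the interface Sinatra is built on) that validates a submitted name, escapes it on output, sends a CSP header and sets an HttpOnly cookie. The names DonationThanks, valid_name?, render_thanks, the "name" parameter, the "session" cookie and the policy value are all assumptions; the policy assumes the app serves its scripts from its own origin.

```ruby
require 'erb'
require 'uri'

# Hypothetical policy: only same-origin scripts, no plugins.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'"
NAME_LIMIT = 80 # hypothetical maximum length for the donor name

# Input validation: presence and length only. It narrows what is
# accepted but is not relied on to stop markup; escaping does that.
def valid_name?(name)
  !name.nil? && !name.strip.empty? && name.length <= NAME_LIMIT
end

# Output escaping: the value is HTML-escaped where it enters markup,
# so <, >, &, " and ' arrive in the browser as text, not as tags.
def render_thanks(name)
  "<p>Thank you, #{ERB::Util.html_escape(name)}!</p>"
end

# Rack-compatible callable: env hash in, [status, headers, body] out.
DonationThanks = lambda do |env|
  params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  name = params['name']
  headers = {
    'content-type' => 'text/html; charset=utf-8',
    # Second line of defence if an escaping step is ever missed.
    'content-security-policy' => CSP,
    # HttpOnly keeps the cookie out of reach of document.cookie.
    # The cookie value is a constructed sample.
    'set-cookie' => 'session=constructed-sample; HttpOnly; Secure; SameSite=Lax; Path=/'
  }
  return [422, headers, ['<p>Please enter a valid name.</p>']] unless valid_name?(name)

  [200, headers, [render_thanks(name)]]
end
```
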

Add setup instructions for mac and linux.

See our contributing guides.

Script will fail if required utilities such as npm and wget are not present on the system.

Presently, the script will carry on with the rest of the commands but it should halt if any of the previous commands fail.


(update by @octopusinvitro)

What to do:

Update the README section "To initialise the project" right after the title to indicate that wget and npm and ruby need to be installed to use the application. Provide helpful links, for example:

Google analytics

See our contributing guides.

It would be nice to have a new account for GA now that we are going to do a rewrite.
This is so that new data is not mixed with old data.
Also, the goals etc. are probably going to be different.

I have created a test GA account with our main account. We can use that and this repo to tune the configuration.

Discussion: to elm or not to elm

See our contributing guides.

Discussion open on incorporating Elm or not:

Pros

  • As opposed to JavaScript, Elm is a proper programming language
  • Also proper functional language
  • The error messages and time travel make it easy to debug

Cons

  • An extra layer of complexity
  • An extra language to learn for beginners wanting to contribute to the repo
  • An extra language to learn for designers

I don't think we should incorporate the new shiny technology just because it's shiny, but because it will solve a problem for us.

Discussion: make this a progressive web app

See our contributing guides.

I think it could make sense to try and serve a basic page when users are not connected to the internet, something that informs you that you can not do a donation at the moment but you can try again once you have internet back.

Discussion open on what to present the user with. Maybe the content of that page is more of a UX person decision, but it doesn't hurt to start thinking about it ourselves.

Add recaptcha

See our contributing guides.

Look into more human friendly solutions as the 'I am not a robot' thing has confused supporters in the past.

If we can't find one, maybe we will need to implement something simple that generates an image and compares the number.
